Advisory

Software: Shop PBS

Type: Cross Site Scripting

Severity: Medium

Vulnerability Type: Input Validation Error

Overview:- There exists a cross-site scripting vulnerability as the input in the parameter "keyword" is not filtered properly sanatised in the index.jsp

Description:- The cross-site scripting bug can be executed with a URL like so:

This issue could permit a remote attacker to create a malicious URL link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected Web site.

proof of Concept:-

http://www.shoppbs.org/searchHandler/index.jsp?keywords=
"<"script">"alert%28document.cookie%29"<"/script">"&x=31
&y=11"

Solution:
--------------------
There is no vendor-supplied patch for this issue at
this time.

Credit:-
KeyShore


...Kishore works with me and he came accross this one..:)
Cheers
SumSid